Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

ASA 8.X : How to deny remote access to LDAP users that don't have Remote Access Permissions

One of the attributes of an Active Directory user is his Remote Access Permission.

This can be found under the Dial-in tab of your user properties:

user prop.JPG

If you have already set this value for all of your users, you might want to reuse it once you setup remote access to your firewall.

There are two ways to allow AnyConnect or IPSec access only to users which have this parameter set:

1.) Dynamic Access Policies

First, you'll need to create a new DAP ( Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies in ASDM).

Under this new DAP, set a match parameter under the AAA Atributes that verifies that the ldap.msNPAllowDialin is set to TRUE and set the action for this DAP to "Continue" as shown in the following picture:


Once this is done, you only need set the action on the DfltAccessPolicy to "Terminate":


That way, users that have either msNPAllowDialin set to FALSE or which don't have this attribute at all will be denied access.

2.) Group Policy switching through LDAP attribute-map:

With an ldap attribute-map, you can change the group-policy that will be assigned to the user once he connects. If you forbid access on the policy the users will be sent to if he doesn't have Remote Access Permission set, you'll achieve the same effect as with the first technique.

Here is how you can do:

Create the attribute-map

ldap attribute-map AccessRestrict
   map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
   map-value msNPAllowDialin TRUE AllowVPN
   map-value msNPAllowDialin FALSE NoVPN

As you can see above, the map will send users that don't have msNPAllowDialin set to the NoVPN group-policy while the one that have it will go to the AllowVPN one.

Bound the attribute map to your LDAP server:
aaa-server AD-Server host <IP>
  ldap-attribute-map AccessRestrict

Define the group-policies:

group-policy AllowVPN internal
group-policy AllowVPN attributes
  <Configure Your Users Group-policy Here>

group-policy NoVPN internal
group-policy NoVPN attributes
  vpn-simultaneous-logins 0

Setting vpn-simultaneous-logins to 0 under the NoVPN policy will prevent people that don't have msNPAllowDialin set to login.

  • If you are afraid that some of the users might not have the msNPAllowDialin attribute at all, you might want to set vpn-simultaneous-logins to 0 under the DfltGrpPolicy group-policy. If you do, only users going to the AllowVPN group-policy should be able to login.

Here are some documents that could be useful if you want to learn a bit more on the subject:

<a href=""> ASA 8.x Dynamic Access Policies (DAP) Deployment Guide  </a>

<a href=""> ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example  </a>

Version history
Revision #:
1 of 1
Last update:
‎10-28-2010 05:06 AM
Updated by:
Labels (1)
New Member

Would this work with Windows AD Kerberos Cisco ASA 5510 AAA method, and if not, what are other ways to accomplish it?